LinuxQuestions.org

Linux - Newbie > What is the BEST way to make Debian my middleman (http://www.linuxquestions.org/questions/linux-newbie-8/what-is-the-best-way-to-make-debian-my-middleman-724809/)

joebpa 05-09-2009 01:36 AM

What is the BEST way to make Debian my middleman
 
OK, I am a Windows Guru making the switch to Debian.
My system will be running classrooms of about 30 PCs. Due to administration requirements there will be one Linux per classroom.
I have one NIC w/Static IP assigned by the college > eth0
I have a second NIC (eth1) that connects my switch & all PC's on my LAN.

I want the Debian to run everything DHCP, DNS, Squid, Firewall, or any other products needed. It may also handle SNMP traffic.

The question is, will I be required to have all these products/services, and how do I set up the ones I do need? Installing was a snap and the network is running except for internet traffic from the LAN.

Desires:
Monitor all web traffic
Assign IP's to LAN
Block web traffic outbound
Block bad traffic inbound from ISP
Allow all internet traffic to pass from LAN to WAN while being watched and possibly blocked
LAN traffic stays on LAN side

So the general plan is to have the box being the middleman for anything and everything.

I am not sure if I will need all of these or maybe I need something else IP routes, run it as a router, or something I haven't heard of yet. I still don't know everything Linux can do yet.

So learn me oh wise ones. I am luke and you are OB1. Show me the path!!

If there is something you know I don't need to use please advise me.
Joe
MSM/MIS/MBA A+ Semper Fi

I will most likely switch my home network to follow this similar path once determined.
Thanks in advance

sarin 05-09-2009 02:45 AM

Hmm... Don't know if I got your question correctly

You need...

Quote:

Monitor all web traffic
Block web traffic outbound
1. A proxy with lot of access control stuff. Look at squid.

Quote:

Assign IP's to LAN
3. You need a DHCP server. Debian should have one. Fedora has a server from https://www.isc.org/software/dhcp

Quote:

Monitor all web traffic
Block web traffic outbound
Block bad traffic inbound from ISP
Allow all internet traffic to pass from LAN to WAN while being watched and possibly blocked
LAN traffic stays on LAN side
2. You need to configure a set of firewall rules. Look at iptables and firestarter

Well, most of it should be part of any default distribution. However, you will need some experience for configuring.
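For the iptables part of the answer above, here is a worked ruleset for the two-NIC layout the original poster described (eth0 facing the college, eth1 facing the classroom switch). This is an added example written for this thread, not code from any poster or from the Debian project. The LAN subnet 192.168.10.0/24 and the Squid port 3128 are assumptions; the script only prints the rules in iptables-restore format so they can be reviewed before anything is applied, and the apply step needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces follow the poster's layout
# (eth0 = WAN with the college-assigned address, eth1 = classroom LAN).
# The LAN subnet and the Squid port below are assumptions.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.10.0/24}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit a complete ruleset in iptables-restore(8) format. Nothing is applied
# here, so the output can be read or diffed against iptables-save first.
gen_fw_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# "Monitor all web traffic": force classroom port-80 traffic through Squid
# (Squid must also be set up to accept intercepted connections on $SQUID_PORT)
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Hide the classroom behind the college-assigned address on $WAN_IF
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
# Default-drop on INPUT and FORWARD; anything not listed below never gets in
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Services the gateway offers to the classroom only. DHCP has no -s filter
# because a client asking for a lease still has source address 0.0.0.0.
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp -j ACCEPT
# Nothing arriving on $WAN_IF (Webmin on 10000 included) is accepted: policy DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# "LAN to WAN while being watched": new connections only from LAN out to WAN;
# replies return via ESTABLISHED. Nothing is forwarded in from the WAN side.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Turn on routing between the two NICs and load the ruleset atomically (root).
apply_fw_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_fw_rules | iptables-restore
}

case "${1:-}" in
    show)  gen_fw_rules ;;
    apply) apply_fw_rules ;;
esac
```

Run it as `sh fw.sh show` to inspect, `sh fw.sh apply` as root to load. To survive a reboot on Debian, save the output to a file (for example `/etc/iptables.rules`) and add `pre-up iptables-restore < /etc/iptables.rules` under the eth0 stanza in `/etc/network/interfaces`. Note that "LAN traffic stays on LAN side" is already true with this ruleset: only packets whose destination is outside 192.168.10.0/24 reach the gateway's FORWARD chain at all.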

linuxlover.chaitanya 05-09-2009 03:54 AM

Most of the possible needs and packages that you would require to get your Debian up to the task are already to your knowledge.
What you require, as I understand, is the help to configure your Debian for the task. If you have experience on Windows and are no computer noob then it would not take much time for you to learn new things, though many of the members here will disagree with me.
What you need for your task is already given in the previous post.
If administration is what you are looking for then you should look at webmin. It would not be much of an installation headache if you have internet on the Debian box.

sudo apt-get install webmin
should do it for you.
It is a complete administration tool that you run from a web browser and most of the tabs are self explanatory.

joebpa 05-10-2009 02:17 AM

Sounds good so far.
 
Ok, so unless someone knows of another way it looks as if I will need:
DHCP - to handle giving out my IPs on the LAN side.
Do I have to use DNS?
Can I get away with using a router/gateway to ensure I have Internet access from the LAN side?
If Squid is capable, can I just use Squid to forward any internet requests out my eth0 (WAN)? If this is possible then I don't see a need for DNS.
I still think I will need the firewall, because I don't believe Squid can filter/block to the extent I desire.

linuxlover.chaitanya = Thanks for your response, The webmin software installed after I updated my broken packages. I originally had 1.290 and that installed ok, but when I found 1.470 it required additional packages. I resolved that and it installed without issues. It does seem to be a great tool for management.
Is there a way to access webmin remotely? I would like to be able to access it from home/work/wherever I am.
Joe
Yes, you were right, I have been running Windows networks since the mid 1990s. I am familiar with many aspects of domains/IP/routing/DNS, etc., just not on a Linux level.
Thank god for standards.

baig 05-10-2009 03:23 AM

Hi,

As you said you are new to Linux and you need to configure a firewall, I think this link would help you generate a firewall script according to your needs.
Code:

http://easyfwgen.morizot.net/gen/
Cheers!!

salasi 05-10-2009 06:59 AM

Quote:

Originally Posted by joebpa (Post 3535233)

I want the Debian to run everything DHCP, DNS, Squid, Firewall, or any other products needed. It may also handle SNMP traffic.

and

Quote:

Do I have to use DNS?
In your earlier post it seemed as if you knew that you needed DNS, but now it seems like an open question. You might, technically, need DNS or it might just make life easier for you, so it may not be enough to know that you don't need it.

If you are running an externally addressable website on one of these network segments, then you will need DNS (but, equally, that's not the same as needing a DNS server). This is normally a very, very bad idea, so I'm hoping this isn't the case.

If the classroom computers need to access a number of different servers, and accessing these servers by name is a convenience, then there may be a case for running DNS internally. You say nothing that makes this seem to be the case, so from the information so far it is quite possible that you don't need this.

(Note that even if you do need DNS, this isn't the same as saying that you need BIND. There are servers that can do both DNS and DHCP and are simpler to configure than BIND, so there are reasons to consider other servers.)

Quote:

Monitor all web traffic
You can get a certain amount of monitoring from squid and associated utilities. Whether this does what you want is another matter; if you want to tie web pages back to a user, there are a certain number of stages to go through. You'd probably know which IP address that was, but that's an IP you may have given out dynamically, so that doesn't even tell you which workstation that was, and even if that was tied to a workstation, you may not know which user was logged in at the time.

But if you merely wanted to know that someone in the class had tried to access a 'bad' website, that would be much easier.

So can you define exactly what you want?

Quote:

Block web traffic outbound
You don't seem to mean 'block all http/https accesses from internal computers', so what do you mean?
Quote:

Block bad traffic inbound from ISP
If you can define an iptables rule for it, you can decide how to deal with it. If, however, you know that it's bad traffic, you should be trying to drop the packets at the perimeter of your network, not at a point well inside (or, you could argue, trying to do both is safer, but then it might be more difficult to administer...).

Quote:

So learn me oh wise ones. I am luke and you are OB1. Show me the path!!
Well, I don't have that many wrinkles...yet. The first tip is that one thing that determines how good the answers are that you get is how good the questions are that you ask.

I'm sure that you can do something very like the thing that you have described, but your description was hardly a system specification, and some of the descriptions were capable of more than one interpretation.
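salasi's point about monitoring is worth making concrete: a client address in Squid's log is only a DHCP lease, so on its own it does not say which workstation was involved. The gap can be closed by joining the Squid access log against the DHCP server's lease file, which records the MAC address and the hostname the client announced. The following is an added example written for this thread, not code from any poster; the lease entries, the log lines and the 192.168.10.0/24 subnet are all constructed for illustration, and the real files on a Debian box of that era would be /var/lib/dhcp3/dhcpd.leases and /var/log/squid/access.log.

```shell
#!/bin/sh
# Added example (not from the thread). Joins Squid's native-format access.log
# against the ISC dhcpd lease file so every request is attributed to a MAC
# address and client hostname, not just to an IP that DHCP may have handed to
# several machines over time. All sample data below is constructed.

# Write constructed sample files into directory $1. The same IP appears twice
# in the lease file on purpose: dhcpd appends, so the later entry is current.
write_sample_data() {
    cat > "$1/dhcpd.leases" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.10.45 {
  starts 5 2009/05/08 08:00:00;
  ends 5 2009/05/08 20:00:00;
  hardware ethernet 00:11:22:33:44:aa;
  client-hostname "old-pc";
}
lease 192.168.10.46 {
  starts 6 2009/05/09 08:05:00;
  ends 6 2009/05/09 20:05:00;
  hardware ethernet 00:11:22:33:44:03;
  client-hostname "lab-pc-03";
}
lease 192.168.10.45 {
  starts 6 2009/05/09 08:10:00;
  ends 6 2009/05/09 20:10:00;
  hardware ethernet 00:11:22:33:44:bb;
  client-hostname "lab-pc-12";
}
EOF
    cat > "$1/access.log" <<'EOF'
1241856000.123    150 192.168.10.45 TCP_MISS/200 2345 GET http://example.com/ - DIRECT/198.51.100.7 text/html
1241856010.456     80 192.168.10.46 TCP_HIT/200 9876 GET http://www.example.org/page - NONE/- text/html
1241856020.789    200 192.168.10.99 TCP_MISS/200 512 GET http://example.com/x - DIRECT/198.51.100.7 text/html
EOF
}

# correlate_web_access LEASES ACCESS_LOG [URL_SUBSTRING]
# Prints one line per request: epoch-timestamp client-ip mac hostname url.
# With a third argument only URLs containing that string are printed, which
# is the "did anyone in the class hit site X" question from the thread.
# An address with no lease at all is reported as unknown-mac/unknown-host;
# in a DHCP-only classroom that is itself worth a look (static or spoofed IP).
correlate_web_access() {
    awk -v pat="${3:-}" '
        FNR == NR {                       # first file: dhcpd.leases
            if ($1 == "lease") { ip = $2; next }
            if ($1 == "hardware" && $2 == "ethernet") { sub(/;$/, "", $3); mac[ip] = $3; next }
            if ($1 == "client-hostname") { h = $2; gsub(/[";]/, "", h); host[ip] = h; next }
            next                          # later entries for the same IP overwrite earlier ones
        }
        {                                 # second file: squid access.log (native format)
            ip = $3; url = $7
            if (pat != "" && index(url, pat) == 0) next
            m = (ip in mac)  ? mac[ip]  : "unknown-mac"
            h = (ip in host) ? host[ip] : "unknown-host"
            printf "%s %s %s %s %s\n", $1, ip, m, h, url
        }' "$1" "$2"
}

# Stand-alone demo on the constructed data: sh correlate.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_data "$d"
    correlate_web_access "$d/dhcpd.leases" "$d/access.log"
    rm -rf "$d"
fi
```

Even with the MAC and hostname in hand, salasi's last step still stands: this tells you which machine, not which person was logged in, so any "who did it" answer also needs the classroom's logon records for that time window. The timestamp is left as Squid writes it (seconds since the epoch) so the output is easy to sort and join; convert it for display with `date` if needed.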

linuxlover.chaitanya 05-11-2009 12:23 AM

Quote:

Originally Posted by joebpa (Post 3535951)
Ok so unless someone knows of another way it looks as if I will need
DHCP - to handle giving out my IP's on the LAN side.

If you think you do not want to give static IP addresses, you will need a DHCP server running. But if you give static IP addresses you may have more control over your network if you do not want all the machines to have similar access to the network.

Quote:

Originally Posted by joebpa (Post 3535951)
Do I have to use DNS?
Can I get away with using a router/gateway to ensure I have Internet access from the LAN side.
IF the Squid is capable, can I just use the Squid to forward any internet requests out my eth0 (WAN) If this is possible then I don't see a need for DNS.
I still think I will need the Firewall, because I don't believe Squid can filter/block to the extent I desire.

I think Squid can do a good amount of URL filtering, and putting up DansGuardian will give you a lot of control over the content of the web traffic. You will and should need a firewall even if you are running Squid, for brute force attacks.
You should not need DNS if you have a router/modem and if your ISP has given you one. If you still want to put up your own DNS to keep the ISP DNS away from users, then you can configure your DNS to forward all the queries to your ISP DNS.
Quote:

Originally Posted by joebpa (Post 3535951)
Is there a way to access webmin remotely? I would like to be able to access it from home/work/where ever i am?

You can access webmin remotely. You should consider configuring webmin to know which requests to allow and from which IP addresses. And then you can use it remotely like
http://ipaddress:10000
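The advice above to tell Webmin which addresses to allow lives in its miniserv.conf. The script below, an added example for this thread rather than anything from the posters or from the Webmin project, rewrites that file so the console listens only on the LAN address, only over SSL, and only for listed clients. The path /etc/webmin/miniserv.conf, the keys allow=, bind= and ssl= are the ones Webmin uses; the LAN address 192.168.10.1, the netmask form of the allow list and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Webmin's own tooling). Tightens the access settings in
# Webmin's miniserv.conf. Addresses and the sample file are assumptions.

# harden_miniserv CONF BIND_ADDR "ALLOWED ..." : rewrite CONF in place.
harden_miniserv() {
    conf=$1; bind=$2; allowed=$3
    tmp=$(mktemp)
    # Drop any existing access lines first, so a weak 'allow=0.0.0.0/0' or
    # 'ssl=0' cannot survive. grep -v exits 1 if nothing is left; not an error.
    grep -v -E '^(allow|deny|ssl|bind)=' "$conf" > "$tmp" || true
    {
        echo "ssl=1"            # HTTPS only; the port (10000) is unchanged
        echo "bind=$bind"       # listen on the LAN-side address, never on the college-facing one
        echo "allow=$allowed"   # once allow= is present, every unlisted client is refused
    } >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# webmin_allowed_count CONF : how many entries the allow= line carries,
# a quick sanity check after editing.
webmin_allowed_count() {
    sed -n 's/^allow=//p' "$1" | wc -w | tr -d ' '
}

# Stand-alone demo on a constructed miniserv.conf: sh webmin-harden.sh demo
# For the real file: harden_miniserv /etc/webmin/miniserv.conf 192.168.10.1 \
#   "127.0.0.1 192.168.10.0/255.255.255.0" and then /etc/init.d/webmin restart
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    printf 'port=10000\nssl=0\nallow=0.0.0.0/0\nroot=/usr/share/webmin\n' > "$f"
    harden_miniserv "$f" 192.168.10.1 "127.0.0.1 192.168.10.0/255.255.255.0"
    cat "$f"; rm -f "$f"
fi
```

With Webmin bound to the LAN address, reaching it from home does not require opening port 10000 on eth0 at all: SSH into the box and tunnel the console over that one connection (`ssh -L 10000:192.168.10.1:10000 joe@<college-assigned-address>`, then browse https://localhost:10000/). That leaves SSH as the only service to protect from the outside, and it is far better suited to key-based logins and brute-force lockout than a web console is.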

